MikeBronner
Programmer
Could someone post an example of ASP code used to query LDAP without any proprietary components?
Thanks! Take Care,
Mike
Thanks! Take Care,
Mike
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Example of ASP LDAP query string? 14
- Thread starter MikeBronner
- Start date
- Status
kondakindi
IS-IT--Management
Hi Zcolton,
I am new to Ldap concept. I need to do a simple authentication. I tried doing it by using the code u gave earlier but i am getting not authenticated even when i pass the correct username and pwd.
I am hereby pasting the code:
do let me know if i am doing something wrong.....
<%@LANGUAGE="VBSCRIPT"%>
<% on error resume next
fscompleted = request.QueryString("f")
if fscompleted = 1 then
ResultHTML = ProcessForm
else
ResultHTML = "<BR>"
end if
Function ProcessForm
on error resume next
const ADS_SECURE_AUTHENTICATION=&h0001
ousername=request.form("username")
opassword=request.Form("password")
DN="LDAP.NJIT.EDU/ou=people,o=NJIT,c=US"
SET mynamespace= GetObject("LDAP:")
set X = mynamespace.OpenDSObject(DN,ousername,opassword,ADS_SECURE_AUTHENTICATION)
if err.number=0 then
HTML = "<p>Authenticated</p>"
else
HTML = "<p> Not Authenticated </p>"
end if
set mynamespace= Nothing
set X= Nothing
ProcessForm=HTML
end function
PostURL = Request.ServerVariables("SCRIPT_NAME") & "?f=1"
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<body>
<%=ResultHTML%>
<%
if request.QueryString("f")="" then
%>
<form method="post" action="<%=PostURL%>">
<p>username : <input type="text" name="username" size=10></p>
<p>Password : <input type="password" name="password" size=10></p>
<input type=submit name=submitbutton value="authenticate">
</form>
<%end if%>
</body>
</html>
thanks
I am new to Ldap concept. I need to do a simple authentication. I tried doing it by using the code u gave earlier but i am getting not authenticated even when i pass the correct username and pwd.
I am hereby pasting the code:
do let me know if i am doing something wrong.....
<%@LANGUAGE="VBSCRIPT"%>
<% on error resume next
fscompleted = request.QueryString("f")
if fscompleted = 1 then
ResultHTML = ProcessForm
else
ResultHTML = "<BR>"
end if
Function ProcessForm
on error resume next
const ADS_SECURE_AUTHENTICATION=&h0001
ousername=request.form("username")
opassword=request.Form("password")
DN="LDAP.NJIT.EDU/ou=people,o=NJIT,c=US"
SET mynamespace= GetObject("LDAP:")
set X = mynamespace.OpenDSObject(DN,ousername,opassword,ADS_SECURE_AUTHENTICATION)
if err.number=0 then
HTML = "<p>Authenticated</p>"
else
HTML = "<p> Not Authenticated </p>"
end if
set mynamespace= Nothing
set X= Nothing
ProcessForm=HTML
end function
PostURL = Request.ServerVariables("SCRIPT_NAME") & "?f=1"
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<body>
<%=ResultHTML%>
<%
if request.QueryString("f")="" then
%>
<form method="post" action="<%=PostURL%>">
<p>username : <input type="text" name="username" size=10></p>
<p>Password : <input type="password" name="password" size=10></p>
<input type=submit name=submitbutton value="authenticate">
</form>
<%end if%>
</body>
</html>
thanks
valdeloire
Technical User
zcolton,
Thanks for your assistance on the web form. I have it working correctly now. I have also added a few things that are specific to our active directory that we wanted to have in the look up. It works great.
Thanks for your assistance on the web form. I have it working correctly now. I have also added a few things that are specific to our active directory that we wanted to have in the look up. It works great.
kondakindi
IS-IT--Management
Zcolton,
I tried both the things but it is still giving me the same result.
I tried both the things but it is still giving me the same result.
kondakindi
IS-IT--Management
Zcolton,
i tried the changes u said but the problem persists and the page gives me not authenticated. i tried to figure out what the error is and the error code it gave is -2147016662.
i searched for this error but was unable to resolve this problem. can u suggest anything?
thanks
i tried the changes u said but the problem persists and the page gives me not authenticated. i tried to figure out what the error is and the error code it gave is -2147016662.
i searched for this error but was unable to resolve this problem. can u suggest anything?
thanks
kondakindi,
The only thing I can suggest is that the string for the DN is not correct. The string should be:
LDAP://servername.domain.com/dc=domain,dc=com
I don't know what else to tell you.
To anyone else:
Are there any questions waiting for a reply? I've lost track.
zcolton
The only thing I can suggest is that the string for the DN is not correct. The string should be:
LDAP://servername.domain.com/dc=domain,dc=com
I don't know what else to tell you.
To anyone else:
Are there any questions waiting for a reply? I've lost track.
zcolton
zcolton & jbigham, thanks for your contributions here. I've used your code a couple weeks ago for a phone directory search. My page simply calls itself to display the listing, so I've only got one file, phonedir.asp.
My question is this; I've got a lot of users in AD in different folders by location and department, etc.
I'm trying to exclude disabled users, but can't seem to get the right variable/property name (i.e. WHERE isuserdisabled="True"). Here's my current line:
Com.CommandText ="select name,department,telephonenumber,facsimileTelephoneNumber from 'GC://"+objADsPath+"' WHERE objectCategory='User' AND(department = '" & strUserInput & "' OR name = '" & strUserInput & "' OR telephonenumber = '" & strUserInput & "')"
Any ideas would be appreciated!
My question is this; I've got a lot of users in AD in different folders by location and department, etc.
I'm trying to exclude disabled users, but can't seem to get the right variable/property name (i.e. WHERE isuserdisabled="True"). Here's my current line:
Com.CommandText ="select name,department,telephonenumber,facsimileTelephoneNumber from 'GC://"+objADsPath+"' WHERE objectCategory='User' AND(department = '" & strUserInput & "' OR name = '" & strUserInput & "' OR telephonenumber = '" & strUserInput & "')"
Any ideas would be appreciated!
The link is the MSDN article on the property. The second is a page I wrote that lists disabled users. This should be enough info to get you pointed in the right direction.
Code:
<%@ Language=VBScript %>
<%
Option Explicit
response.buffer = true
Dim con,rs,Com,objADsPath,objDomain,objADOU,intUAC
Const ADS_UF_ACCOUNTDISABLE = 2
%>
<html>
<head>
</head>
<body topmargin="0" leftmargin="0" bgcolor="#CCCCCC">
<%
Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.Properties("Cache Results") = False
Com.CommandText ="select userAccountControl,name from 'LDAP://"+objADsPath+"' WHERE objectCategory='person'"
Set rs = Com.Execute
While not rs.eof
intUAC=rs.fields("userAccountControl")
If intUAC AND ADS_UF_ACCOUNTDISABLE Then
response.write rs.fields("name")&" is disabled.<br>"
End If
rs.movenext
Wend
rs.close
set rs=nothing
con.close
set con=nothing
%>
</body>
</html>Well, that doesn't seem to be working either, maybe you can tell me what I'm missing. Here's all the relevant code (I think).
If Request.Form("DisplayData") = "Yes" Then
Dim txtInput
Dim shader
Dim tablecode
strUserInput = "*" & Request.Form("txtInput") & "*"
shader = "header"
tablecode = "<Table border=0 style='"'padding:20px 0px 0px 20px'"'>"
groupdsn=request.querystring("group")
If groupdsn="" then
Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.Properties("User ID") = "dcc\xxxxxxxx"
con.Properties("Password") = "xxxxxx"
con.Properties("Encrypt Password") = False
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
' Com.CommandText ="select name,department,telephonenumber,facsimileTelephoneNumber from 'GC://"+objADsPath+"' WHERE objectCategory='User' AND telephonenumber='' AND(department = '" & strUserInput & "' OR name = '" & strUserInput & "' OR telephonenumber = '" & strUserInput & "')"
Com.CommantText ="select userAccountControl,name from 'LDAP://"+objADsPath+"' Where objectCategory='person'"
Set rs = Com.Execute
shader = "blue"
If rs.EOF then
Call CloseAll
response.write "No Results Found."
intUAC=rs.fields("userAccountControl")
If intUAC AND ADS_UF_ACCOUNTDISABLE then
Response.Write tablecode
Response.Write "<tr>"
Response.Write "<td width=155 bgcolor=EAEAEA>"
Response.Write "<strong>Name</strong>"
Response.Write "</td>"
Response.Write "<td width=160 bgcolor=EAEAEA>"
Response.Write "<strong>Voice</strong>"
If Request.Form("DisplayData") = "Yes" Then
Dim txtInput
Dim shader
Dim tablecode
strUserInput = "*" & Request.Form("txtInput") & "*"
shader = "header"
tablecode = "<Table border=0 style='"'padding:20px 0px 0px 20px'"'>"
groupdsn=request.querystring("group")
If groupdsn="" then
Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.Properties("User ID") = "dcc\xxxxxxxx"
con.Properties("Password") = "xxxxxx"
con.Properties("Encrypt Password") = False
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
' Com.CommandText ="select name,department,telephonenumber,facsimileTelephoneNumber from 'GC://"+objADsPath+"' WHERE objectCategory='User' AND telephonenumber='' AND(department = '" & strUserInput & "' OR name = '" & strUserInput & "' OR telephonenumber = '" & strUserInput & "')"
Com.CommantText ="select userAccountControl,name from 'LDAP://"+objADsPath+"' Where objectCategory='person'"
Set rs = Com.Execute
shader = "blue"
If rs.EOF then
Call CloseAll
response.write "No Results Found."
intUAC=rs.fields("userAccountControl")
If intUAC AND ADS_UF_ACCOUNTDISABLE then
Response.Write tablecode
Response.Write "<tr>"
Response.Write "<td width=155 bgcolor=EAEAEA>"
Response.Write "<strong>Name</strong>"
Response.Write "</td>"
Response.Write "<td width=160 bgcolor=EAEAEA>"
Response.Write "<strong>Voice</strong>"
I can't see an edit feature, and my code looks a bit difficult to read, so I appologize, I should've previewed.
Also, thanks for your response ZColton.
Here's the error I get when I try it with your com.commandtext.
Microsoft VBScript runtim error '800a01b6'
Object doesn't support this property or method: 'CommandText'
/dir/phonedir.asp
Thanks again!
Also, thanks for your response ZColton.
Here's the error I get when I try it with your com.commandtext.
Microsoft VBScript runtim error '800a01b6'
Object doesn't support this property or method: 'CommandText'
/dir/phonedir.asp
Thanks again!
CityWebGuy
MIS
zcolton - I need your help.
Here is our problem. We have 2 different domains. Domain1 and Domain2 where Domain2 is under Domain1 but there is an Trust between the two.
Here is the code
SET obSys = CreateObject("ADSystemInfo")
SET adsUser = GetObject("LDAP://" & obSys.username)
This is running on a Web Server that is also set as an DC in Domain1 also I am running Intergrated Authentication on the Web Server.
When an user from Domain1 accesses the page it works. When an user from Domain2 accesses the page it does not work they are getting Error Number -2147016672.
Do you have any insite to what kind of Group Policy setting or anything that I need to check as what is causing this to occur?
PS. I know this is possible because it worked a few weeks again until our network Admin started playing with GP.
Thanks for any help.
City Web Guy.
Here is our problem. We have 2 different domains. Domain1 and Domain2 where Domain2 is under Domain1 but there is an Trust between the two.
Here is the code
SET obSys = CreateObject("ADSystemInfo")
SET adsUser = GetObject("LDAP://" & obSys.username)
This is running on a Web Server that is also set as an DC in Domain1 also I am running Intergrated Authentication on the Web Server.
When an user from Domain1 accesses the page it works. When an user from Domain2 accesses the page it does not work they are getting Error Number -2147016672.
Do you have any insite to what kind of Group Policy setting or anything that I need to check as what is causing this to occur?
PS. I know this is possible because it worked a few weeks again until our network Admin started playing with GP.
Thanks for any help.
City Web Guy.
Hi,
Anyone know how it could be that the following script runs fine on our (win2k) webserver, but does not run from a client machine (win2k) using the exact same domain admin user.
the site runs under intergrated authentication
on the client machine it gives the following:
-----------
error '80005000'
/adsibook2.asp, line 19
-----------
i'm breaking my head over this :-(
Anyone know how it could be that the following script runs fine on our (win2k) webserver, but does not run from a client machine (win2k) using the exact same domain admin user.
the site runs under intergrated authentication
Code:
Dim RootDSE
Dim UserContainer
Dim User
Dim RelativePathFromDomainToUserContainer
RelativePathFromDomainToUserContainer = "OU=Helpdesk,OU=Beheerders,OU=CAK-USERS,"
Set RootDSE = GetObject("LDAP://RootDSE")
Set UserContainer = GetObject("LDAP://" & RelativePathFromDomainToUserContainer & RootDSE.Get("DefaultNamingContext"))
UserContainer.Filter = Array("User")
For Each User in Usercontainer
Response.Write User.AdsPath & "<BR>"
Nexton the client machine it gives the following:
-----------
error '80005000'
/adsibook2.asp, line 19
-----------
i'm breaking my head over this :-(
CityWebGuy
MIS
Hey Guys Any thought om my last post of LDAP over multiple domains? We are about to launch this new setup this weekend and I need any thought on how I can get this to work again.
thanks
City Web Guy
thanks
City Web Guy
CityWebGuy
MIS
Here is an update...
If I switch the server to Basic Authentication instead of Intergrated Authentication it works.
Does anyone know why this is? I really need to use Intergrated Authentication.
Thanks for any help
City Web Guy
If I switch the server to Basic Authentication instead of Intergrated Authentication it works.
Does anyone know why this is? I really need to use Intergrated Authentication.
Thanks for any help
City Web Guy
CityWebGuy,
I believe the issue you are having is known as Double Impersonation. When only using Integrated Authentication, the IIS server does not know what your password is, because it is a Hash.
I use similar code but providing account information.
Set openDS = GetObject("LDAP:")
Set objADSI = openDS.OpenDSObject("LDAP://" & strDN, strDomainSpecificUserID, strDomainSpecificPassword, ADS_SECURE_AUTHENTICATION)
When the user from the child domain visits, the IIS server is attempting to bind to a DC in another domain. Just because the domain is a parent, doesn't mean it (IIS) has permissions in the child, as the domain is the security boundry.
You may try getting the information from the GC, if the property is replicated. If not, it's easy to replicate whatever you want to the GC.
I believe the issue you are having is known as Double Impersonation. When only using Integrated Authentication, the IIS server does not know what your password is, because it is a Hash.
I use similar code but providing account information.
Set openDS = GetObject("LDAP:")
Set objADSI = openDS.OpenDSObject("LDAP://" & strDN, strDomainSpecificUserID, strDomainSpecificPassword, ADS_SECURE_AUTHENTICATION)
When the user from the child domain visits, the IIS server is attempting to bind to a DC in another domain. Just because the domain is a parent, doesn't mean it (IIS) has permissions in the child, as the domain is the security boundry.
You may try getting the information from the GC, if the property is replicated. If not, it's easy to replicate whatever you want to the GC.
CityWebGuy
MIS
mooka, Thanks for the reply.
I have decided to go with the GC. and I am using code simular to this but I am having a little problem....
<%
strUsername = Request.ServerVariables("auth_user")
strUserName = Right(strUserName, Len(strUserName) - InStrRev(strUserName, "\"))
Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.Properties("User ID") = "[Domain]\adsearchUser"
con.Properties("Password") = "adsearchUserPass"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText ="select [Fields needed]FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsername+"'"
Set rs = Com.Execute
response.write rs([Fields needed])
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing
%>
I can run this on the web server and it works fine. If I run this on a machine that is calling the web server I get Error: Table does not exist.
I know you have to hard code a username and Password. I finnally got permission to do this, but this might be a stupid question. What permissions do I need to set on this user so that I can pull the query with this User from page away from the server? I am running an Windows 2000/2003 domain.
Thanks for any help.
City Web Guy.
I have decided to go with the GC. and I am using code simular to this but I am having a little problem....
<%
strUsername = Request.ServerVariables("auth_user")
strUserName = Right(strUserName, Len(strUserName) - InStrRev(strUserName, "\"))
Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
con.Properties("User ID") = "[Domain]\adsearchUser"
con.Properties("Password") = "adsearchUserPass"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText ="select [Fields needed]FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsername+"'"
Set rs = Com.Execute
response.write rs([Fields needed])
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing
%>
I can run this on the web server and it works fine. If I run this on a machine that is calling the web server I get Error: Table does not exist.
I know you have to hard code a username and Password. I finnally got permission to do this, but this might be a stupid question. What permissions do I need to set on this user so that I can pull the query with this User from page away from the server? I am running an Windows 2000/2003 domain.
Thanks for any help.
City Web Guy.
CityWebGuy,
If you are using any type of user authentication (intergrated or basic) you should NOT hardcode user credentials in the web page. Make sure that anonymous access is disabled. This way IIS will run the code under the context of the user accessing the page. Also:
1) an IIS should not be a domain controller, but just a domain member
2) If everything worked before they started "playing" with group policies, check out the group policies. There may be a setting that restricts access accross domains. I'm not sure; that would take a little research.
Chriscak,
Security, security, security. Most of the time, problems access LDAP is a security issue. Things to check: under whos context is the script running; authentication method configured in IIS (anonymous, basic, integrated) Is integrated enabled on the client;
Atmosfear,
Check your code: Com.CommantText should be Com.CommandText
Simple typo
If you are using any type of user authentication (intergrated or basic) you should NOT hardcode user credentials in the web page. Make sure that anonymous access is disabled. This way IIS will run the code under the context of the user accessing the page. Also:
1) an IIS should not be a domain controller, but just a domain member
2) If everything worked before they started "playing" with group policies, check out the group policies. There may be a setting that restricts access accross domains. I'm not sure; that would take a little research.
Chriscak,
Security, security, security. Most of the time, problems access LDAP is a security issue. Things to check: under whos context is the script running; authentication method configured in IIS (anonymous, basic, integrated) Is integrated enabled on the client;
Atmosfear,
Check your code: Com.CommantText should be Com.CommandText
Simple typo
- Status
Similar threads
- Locked
- Question
- Locked
- Question